The Password Mistakes Australian Businesses Still Make in 2026 (and What to Do Instead)


We’ve been talking about passwords for decades. You’d think by now every business would have this figured out. They haven’t.

I still see shared admin credentials on sticky notes. I still see “Company2026!” as the default password for new starters. I still see the same password used across email, accounting software, and the office Wi-Fi. In 2026. At businesses that consider themselves reasonably tech-savvy.

Let’s go through the most common password mistakes I encounter when working with Australian SMBs, and what to actually do about each one.

Mistake 1: Password Reuse Across Systems

This is the big one. When the same password is used for a staff member’s email, CRM, accounting platform, and project management tool, a breach of any one of those services compromises all of them. And breaches are constant — Have I Been Pwned currently lists over 14 billion compromised accounts.

The attack pattern is called credential stuffing. Criminals take email/password combinations from one breach and automatically try them against thousands of other services. If your employee uses the same password for their personal email (breached in 2024) and your business accounting software, the attacker gets in without any sophisticated hacking at all.

What to do instead: Mandate a password manager for every employee. LastPass, 1Password, or Bitwarden: pick one, roll it out company-wide, and require its use. A password manager generates a unique, random password for every service and keeps them in an encrypted vault, so a breach at one service leaks a credential that works nowhere else. The employee only needs to remember one master password, which means that master password must be a long passphrase and the manager account itself must be protected by MFA, because it is now the single most valuable credential the employee holds. The business cost is typically $4-8 per user per month. That’s trivial compared to the risk.

Mistake 2: Not Using Multi-Factor Authentication

MFA isn’t optional anymore. It just isn’t. Yet I routinely encounter Australian businesses where email accounts, cloud storage, and even banking are protected by passwords alone.

The Australian Signals Directorate’s Essential Eight lists MFA as a foundational control. Not aspirational. Foundational. It’s one of the first things any security assessment will check, and one of the first things an insurer will ask about when you make a claim.

The data is unambiguous. Microsoft reports that MFA blocks over 99.9% of automated account compromise attacks, and Google’s internal data shows similar numbers. Even imperfect MFA (SMS codes, which can be intercepted through SIM swapping) is vastly better than no MFA at all. The caveat is that SMS and authenticator-app codes can still be relayed by a phishing site that proxies the real login page in real time; only hardware keys and passkeys built on FIDO2 are phishing-resistant, because the key checks the site’s origin before it will sign anything.

What to do instead: Enable MFA on every business system that supports it. Prioritise email and identity providers (Microsoft 365, Google Workspace) first, because a compromised mailbox is the master key for resetting everything else, then accounting software, CRM, and cloud storage. Use authenticator apps (Microsoft Authenticator, Google Authenticator) or hardware keys (YubiKey) over SMS where possible, and insist on hardware keys or passkeys for anyone with admin rights. Make it a condition of employment, not a suggestion.

Mistake 3: Predictable Password Patterns

Mandatory complexity requirements — “must contain uppercase, lowercase, number, and special character” — led to an unintended consequence. People create passwords that technically meet the rules but are completely predictable.

  • CompanyName2026!
  • Sydney#Summer
  • Melbourne@2025
  • Password1!
  • Welcome123$

These passwords meet every complexity requirement and are among the first things attackers try. Password cracking tools include dictionaries of common patterns, company names, city names, seasons, and years. A “complex” password that follows a predictable pattern is barely better than “password.”

What to do instead: Move to passphrases. A passphrase like “correct horse battery staple” (to use the famous XKCD example) is both stronger and easier to remember than “C0mpl3x!Pass.” The NIST guidelines (SP 800-63B, which Australia’s ASD largely follows) now recommend length over character-class rules, and pair that with a check of every new password against lists of breached and commonly used passwords. Set a minimum length of 14 characters, drop the complexity requirements, reject anything that appears in a breach list or is built from your company name, a location, a season and a year, and encourage three-to-five random words as the format.
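As an added example (not code from the article), here is that policy as a checker: a minimum length, a pattern test that strips the filler people bolt onto company names and seasons, and a breached-password lookup against the Have I Been Pwned Pwned Passwords range API, which only ever sends the first five characters of the password’s SHA-1 hash off the machine. The organisation words are placeholders you would replace with your own; the sample range response is constructed for the demo (the prefix is the real one for “password”, the counts are invented). Because it catches passwords already in breach data, it also covers the credential-stuffing point from Mistake 1.

```python
import hashlib
import re
import urllib.request
from typing import List, Optional, Tuple

MIN_LENGTH = 14
# Assumption: replace these with your own company, product and location names.
ORG_TERMS = ["acme", "sydney", "melbourne"]
COMMON_WORDS = ["password", "welcome", "letmein", "qwerty", "admin",
                "summer", "autumn", "winter", "spring"]
# Undo the usual letter-for-symbol swaps before comparing.
LEET = str.maketrans({"@": "a", "$": "s", "0": "o", "1": "i", "3": "e"})


def normalise(pw: str) -> str:
    """Lower-case, undo substitutions, then drop digits and punctuation: the year
    and the '!' are the filler people add to satisfy complexity rules."""
    return re.sub(r"[^a-z]", "", pw.lower().translate(LEET))


def is_predictable(pw: str) -> bool:
    """True when almost nothing is left once known words and names are removed."""
    leftover = normalise(pw)
    for term in ORG_TERMS + COMMON_WORDS:
        leftover = leftover.replace(term, "")
    return len(leftover) <= 3


def hibp_prefix_suffix(pw: str) -> Tuple[str, str]:
    """k-anonymity split: only the 5-char prefix of SHA-1(pw) leaves the machine."""
    digest = hashlib.sha1(pw.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def count_in_range(suffix: str, range_body: str) -> int:
    """Parse the 'SUFFIX:COUNT' lines the range endpoint returns; 0 means not found."""
    for line in range_body.splitlines():
        if ":" not in line:
            continue
        candidate, count = line.strip().split(":", 1)
        if candidate == suffix:
            return int(count)
    return 0


def fetch_range(prefix: str) -> str:
    """Live lookup (network). The offline demo below never calls this."""
    url = f"https://api.pwnedpasswords.com/range/{prefix}"
    req = urllib.request.Request(url, headers={"User-Agent": "pw-policy-check"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def evaluate(pw: str, range_body: Optional[str] = None) -> List[str]:
    """Reasons to reject the password; an empty list means it passes."""
    reasons = []
    if len(pw) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    if is_predictable(pw):
        reasons.append("predictable: known word or name plus filler")
    prefix, suffix = hibp_prefix_suffix(pw)
    body = range_body if range_body is not None else fetch_range(prefix)
    seen = count_in_range(suffix, body)
    if seen:
        reasons.append(f"seen {seen} times in breached data")
    return reasons


# Constructed sample of a range response for prefix 5BAA6 (the real SHA-1 prefix
# of "password"); the counts are invented for this demo.
SAMPLE_RANGE_5BAA6 = (
    "1E4C9B93F3F0682250B6CF8331B7EE68FD8:9545824\r\n"
    "003D68EB55068C33ACE09247EE4C639306B:3\r\n"
)

if __name__ == "__main__":
    for candidate in ["password", "Sydney#Summer2026!", "correct horse battery staple"]:
        print(f"{candidate!r}: {evaluate(candidate, SAMPLE_RANGE_5BAA6) or 'ok'}")
```

Call `evaluate(pw)` with no second argument to do the live lookup. The pattern test is deliberately a heuristic: it will never be complete, so the breach-list check is the one that does the heavy lifting.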

Mistake 4: Shared Accounts and Credentials

“Just use the admin login” is a phrase that makes security professionals wince. But shared accounts remain widespread, particularly for:

  • Social media management (everyone uses the same Facebook login)
  • Shared email inboxes (one generic address, one password that everyone knows)
  • Admin portals for website CMS, hosting, or domain management
  • Physical security systems (CCTV, alarm panels)

Shared credentials create two problems. First, you can’t track who did what. If something goes wrong — a malicious post, an accidental deletion, a data export — you have no audit trail. Second, when someone leaves the business, you need to change every shared password. In practice, this almost never happens promptly.

What to do instead: Every person gets their own account, everywhere. For systems that don’t support multiple users (some older CCTV systems, for example), document the shared credential in your password manager and change it immediately when any person with access leaves. For social media, use a management platform like Hootsuite or Buffer that provides individual user access to shared accounts.

Mistake 5: Never Changing Compromised Passwords

The old advice was “change your password every 90 days.” Modern guidance has moved away from forced rotation because it leads to predictable increment patterns (Summer2025 becomes Autumn2025 becomes Winter2025). But some businesses interpreted “don’t force rotation” as “never change passwords.” That’s not right either.

Passwords should be changed when there’s a reason to change them: a known breach of a service you use, a departing employee, a suspected compromise, or a security incident. The problem is that most businesses have no process for monitoring breaches and triggering password changes.

What to do instead: Subscribe to breach notification services. Have I Been Pwned offers a domain-wide monitoring service that alerts you when any email address at your domain appears in a breach. Set up a simple process: when a breach notification arrives, the affected employee changes their password for that service immediately and checks whether the same password was used anywhere else (another reason password managers are essential — they can audit for reused passwords).

Mistake 6: Weak Recovery and Reset Processes

Your password is only as strong as your recovery mechanism. If someone can reset a password by answering “What’s your mother’s maiden name?” — information that’s often available on social media or public records — then the password itself is irrelevant.

I’ve seen businesses where the IT admin resets passwords over the phone without any verification. “Hi, it’s Sarah, I’m locked out, can you reset my password?” How does the admin know it’s Sarah? They don’t.

What to do instead: Implement a verified reset process. For self-service resets, require the user to pass their enrolled MFA factor before a reset link is issued, and make that link single-use and short-lived. For admin-assisted resets, require the user to verify their identity through a predetermined method: an in-person visit, a video call with the camera on, a call back to the number already on file, or confirmation from their manager. Do not rely on knowledge questions; the answers are usually discoverable. Apply exactly the same verification to MFA resets and device re-enrolment, because “I lost my phone, can you reset my MFA?” is the call an attacker actually makes. Set temporary passwords to expire immediately, forcing the user to set a new one at first login, and log every reset with who requested it, who approved it, and how identity was verified.
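The reset flow above, written out as an added example (not code from the article or any product). It assumes the MFA check has already happened elsewhere and is passed in as a boolean, that a reset link lives 15 minutes, and that the accepted verification methods are the three listed in the constant; all three are assumptions you would adjust. The points it demonstrates: the server stores only a hash of the reset token, the token is burned on first use, an admin reset is refused unless a verification method is recorded, and a temporary password gets the user exactly one thing, the password-change screen.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

TOKEN_TTL_SECONDS = 15 * 60   # assumption: a reset link lives 15 minutes
# Assumption: the verification methods your policy accepts for an admin-assisted
# reset. "I recognised her voice" is deliberately not one of them.
ACCEPTED_VERIFICATION = {"in-person", "video-call", "manager-confirmed"}


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """scrypt with a random per-user salt, stored as hex(salt)$hex(digest)."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt, n=2 ** 14, r=8, p=1)
    return f"{salt.hex()}${digest.hex()}"


def check_password(password: str, stored: str) -> bool:
    salt_hex = stored.split("$", 1)[0]
    return hmac.compare_digest(hash_password(password, bytes.fromhex(salt_hex)), stored)


@dataclass
class User:
    username: str
    mfa_enrolled: bool
    password_hash: str
    must_change_password: bool = False
    reset_token_hash: Optional[str] = None   # only a hash of the token is stored
    reset_token_expires: float = 0.0


class ResetService:
    def __init__(self, now: Callable[[], float] = time.time):
        self.now = now            # injectable clock so expiry can be tested
        self.users: Dict[str, User] = {}
        self.audit: List[str] = []

    def request_self_service_reset(self, username: str, mfa_passed: bool) -> Optional[str]:
        """Issue a single-use, short-lived token only after the enrolled MFA factor passes."""
        user = self.users.get(username)
        if user is None or not user.mfa_enrolled or not mfa_passed:
            self.audit.append(f"reset denied user={username}")
            return None
        token = secrets.token_urlsafe(32)
        user.reset_token_hash = hashlib.sha256(token.encode()).hexdigest()
        user.reset_token_expires = self.now() + TOKEN_TTL_SECONDS
        self.audit.append(f"reset token issued user={username}")
        return token   # delivered over the user's verified channel, never logged

    def redeem_reset_token(self, username: str, token: str, new_password: str) -> bool:
        user = self.users.get(username)
        if user is None or user.reset_token_hash is None:
            return False
        if self.now() > user.reset_token_expires:
            user.reset_token_hash = None
            return False
        presented = hashlib.sha256(token.encode()).hexdigest()
        if not hmac.compare_digest(presented, user.reset_token_hash):
            return False
        user.reset_token_hash = None          # single use: burn it before anything else
        user.password_hash = hash_password(new_password)
        user.must_change_password = False
        self.audit.append(f"reset completed user={username}")
        return True

    def admin_assisted_reset(self, username: str, admin: str, verified_by: str) -> Optional[str]:
        """Refuse unless an accepted verification method is recorded, then hand out a
        temporary password that can only be used to set a new one."""
        user = self.users.get(username)
        if user is None or verified_by not in ACCEPTED_VERIFICATION:
            self.audit.append(f"admin reset refused user={username} admin={admin} via={verified_by}")
            return None
        temp = secrets.token_urlsafe(12)
        user.password_hash = hash_password(temp)
        user.must_change_password = True
        self.audit.append(f"admin reset user={username} admin={admin} via={verified_by}")
        return temp

    def login(self, username: str, password: str) -> str:
        """'denied', 'must_change' (temporary credential, nothing else allowed) or 'ok'."""
        user = self.users.get(username)
        if user is None or not check_password(password, user.password_hash):
            return "denied"
        return "must_change" if user.must_change_password else "ok"


if __name__ == "__main__":
    svc = ResetService()
    svc.users["sarah"] = User("sarah", mfa_enrolled=True,
                              password_hash=hash_password("old passphrase here"))
    print("phone call, no accepted method:", svc.admin_assisted_reset("sarah", "admin", "phone"))
    temp = svc.admin_assisted_reset("sarah", "admin", "video-call")
    print("login with temporary password:", svc.login("sarah", temp))
    print(*svc.audit, sep="\n")
```

The audit list is the part to keep: when a reset turns out to have been social-engineered, the question is always who approved it and on what basis.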

Mistake 7: Ignoring Service Accounts and API Keys

Human user passwords get all the attention. But what about the service accounts running your automated processes? The API keys connecting your CRM to your email platform? The database credentials hardcoded in an application deployed three years ago?

Service account credentials are frequently set once and never rotated. They often have broad permissions. And they’re exactly what an attacker looks for once they’ve gained initial access to your network.

What to do instead: Inventory all service accounts and API keys. Document who owns them, what they access, and when they were last rotated; an account with no owner is a finding in itself. Move any credential that lives in source code or a config file into a secrets manager or an environment variable injected at deploy time, and scope each one to the minimum permissions the job needs, because a stolen key with admin rights is the jackpot an attacker is looking for. Set calendar reminders for quarterly rotation of critical service credentials. Where possible, use short-lived tokens instead of permanent API keys; most modern cloud platforms support workload identities that issue them automatically.
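Two of those steps can be scripted, so here is a worked example added to the article (not the author’s code): a small hardcoded-credential scanner run over constructed sample files, and an inventory check that flags service credentials past their rotation limit or with no owner recorded. The file contents and the inventory are made up for the demo; the AWS key in the sample is AWS’s documented example key, not a live one. Note what the scanner treats as the fixed form: a `${NAME}` reference resolved at deploy time is skipped, a literal is reported, and the report shows only a redacted prefix, because a findings list full of live secrets is just another place for them to leak from.

```python
import math
import re
from datetime import date
from typing import Dict, List, Tuple

# Credential shapes that most often end up in code and config. The assignment
# pattern deliberately has no leading word boundary so "webhook_secret:" and
# "AWS_SECRET_ACCESS_KEY=" both match.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "credential_assignment": re.compile(
        r"""(?i)(?:password|passwd|secret|api[_-]?key|token)\w*\s*[:=]\s*["']?([^\s"']{8,})"""),
}


def shannon_entropy(s: str) -> float:
    """Bits per character. Generated tokens sit near 4 or above; words and
    'Company2019!'-style strings sit well below."""
    if not s:
        return 0.0
    return -sum((s.count(c) / len(s)) * math.log2(s.count(c) / len(s)) for c in set(s))


def redact(value: str) -> str:
    """Never put the full secret in a report; the report is the next place it leaks."""
    return f"{value[:4]}...({len(value)} chars)"


Finding = Tuple[str, int, str, str, float]   # file, line, kind, redacted value, entropy


def scan_text(name: str, text: str) -> List[Finding]:
    findings: List[Finding] = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for kind, rx in PATTERNS.items():
            m = rx.search(line)
            if not m:
                continue
            value = m.group(1) if m.groups() else m.group(0)
            # "${NAME}" is a reference resolved at deploy time, i.e. the fixed form.
            if value.startswith("${"):
                continue
            findings.append((name, lineno, kind, redact(value), round(shannon_entropy(value), 2)))
    return findings


def scan_all(files: Dict[str, str]) -> List[Finding]:
    return [f for name, text in files.items() for f in scan_text(name, text)]


def overdue_credentials(inventory: List[dict], today: date) -> List[Tuple[str, str]]:
    """Flag credentials past their rotation limit or with no owner/rotation date at all."""
    out = []
    for item in inventory:
        if item["owner"] is None or item["last_rotated"] is None:
            out.append((item["name"], "no owner or rotation date recorded"))
            continue
        age = (today - item["last_rotated"]).days
        if age > item["max_age_days"]:
            out.append((item["name"], f"{age} days since rotation (limit {item['max_age_days']})"))
    return out


# Constructed sample files. The AWS key is AWS's documented example key, not a live one.
SAMPLE_FILES = {
    "config.ini": "[database]\nhost = db.internal\npassword = Company2019!\ntimeout = 30\n",
    "deploy.py": 'AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"\nretries = 3\n',
    "settings.yaml": 'api_key: ${CRM_API_KEY}\nwebhook_secret: "8f3a9c2e7b1d4f6a0e5c9b2d7a4f1e8c3b6d9a0f"\n',
}

# Constructed inventory; yours probably lives in a spreadsheet or CMDB.
SAMPLE_INVENTORY = [
    {"name": "crm-to-mail sync key", "owner": "ops", "last_rotated": date(2023, 2, 1), "max_age_days": 90},
    {"name": "backup agent token", "owner": "it", "last_rotated": date(2026, 1, 10), "max_age_days": 90},
    {"name": "legacy db user", "owner": None, "last_rotated": None, "max_age_days": 90},
]

if __name__ == "__main__":
    for finding in scan_all(SAMPLE_FILES):
        print("hardcoded:", finding)
    for name, why in overdue_credentials(SAMPLE_INVENTORY, date(2026, 3, 1)):
        print("rotate:", name, "-", why)
```

Point `scan_all` at real files by reading them into the same name-to-text mapping, and run it in CI so a new hardcoded key fails the build rather than shipping.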

The Core Message

None of this is complicated. None of it is expensive. A password manager, MFA everywhere, passphrases instead of complex passwords, individual accounts, breach monitoring, secure reset processes, and service account hygiene. The total cost is measured in hundreds of dollars per month, not thousands.

The businesses that get breached through password failures in 2026 aren’t getting breached because the attacks are sophisticated. They’re getting breached because the basics aren’t in place. Don’t be that business.